kde/kdm + nsswitch + ldap = nologon

Joe Kraft jvk-list at thekrafts.org
Sat Mar 7 15:09:11 PST 2009

Tim Judd wrote:

> On Sat, Mar 7, 2009 at 7:59 AM, Joe Kraft <jvk-list at thekrafts.org> wrote:
>> I'm trying to implement SSO using Samba-3.2.4 with an LDAP backend.  The
>> intent is to use ldap directly for FBSD clients and Samba for MS Windows
>> clients.
>> The LDAP server (openldap 2.4.11) is running on a FBSD 6.3 server and is
>> setup and seems to be working fine, I can log in locally or through SSH
>> using the ldap accounts.
>> I'm working on the first client which is a FBSD 7.1 machine.  I can use
>> ldap to login on this machine, but I'm having issues with logging in
>> using
>> kdm.  I can see all the users both from local files and from ldap, but I
>> can't log in using either.  Even when kdm won't allow a login, I can
>> <ctrl><alt><F8> and get a normal login shell and login with local or ldap
>> accounts.  The ldap lines are included in my /etc/pam.d/kde file.
>> If I remove ldap from the nsswitch.conf file it will start working with
>> local logins on kdm again.
>> I ran into a bug report from last summer that appears to still be open
>> with exactly the same issue
>> (http://www.freebsd.org/cgi/query-pr.cgi?pr=124321 ).
>> Does anyone know a workaround or have a patch for the issue?  I can
>> provide config files and such if anyone thinks it might help.
>> Thanks,
>> Joe.
> True SSO is accomplished by Kerberos.  Your LDAP implementation is
> re-authenticating/re-authorizing on every service.
> I'm by NO means an expert with pam -- it confuses me, but there are some
> basic concepts that I think  there might be missing in your setup.
> First question I've got is shouldn't you need to create the rules for kdm
> in a file called 'kdm' in pam?
> Second is that some options/arguments that pam can use such as
> USE_FIRST_PASS would probably help you here.
> Third is whether the sufficient/required column in the pam file is there.
> Now we have to deal weather kdm uses pam or nsswitch.  And if it uses
> nsswitch, then we have to go through all that troubleshooting all over
> again.  Or maybe it doesn't even have any concept to use alternate auth
> mechanisms other than just the local files...
> I'm only providing an insight to something your eyes may have overlooked.
> I hope this triggers something to get it working.  G'luck

Thanks for the thoughts, I had Kerberos set up once when I was going the
other way...with all clients working through an AD domain.  I'm trying to
go the other way now and get everything working through a Samba Domain.  I
might look into it again in the future once I get the basics working.

I thought maybe I had it when you mentioned creating rules for kdm instead
of kde in pam.  Unfortunately it didn't work.

kdm seems to use nsswitch to get the names, because if I use the
line "passwd: files ldap" in nsswitch.conf kdm shows me all the ldap users
as well as the local users with their icons down the left side of the login
window.  I just can't use them to login, no matter what I do it tells me my
password is invalid.  I can't even get it to login with a local account
from 'files'.  What I can do is drop to one of the other ttys and use an
accounts with the same password that failed in kdm to login.  I'm using the
same pam file for login as I am for kde (and now kdm).

All I have to do is change the line to "passwd: files" and I can login again
with the local accounts through kdm again.

Certainly doesn't make sense to me right now...


More information about the freebsd-questions mailing list